[openstack-dev] [Neutron]One security issue about floating ip

Brian Haley brian.haley at hp.com
Thu Jun 26 20:48:49 UTC 2014



I believe nova-network does this by using 'conntrack -D -r $fixed_ip' when the
floating IP goes away (search for clean_conntrack), Neutron doesn't when it
removes the floating IP.  Seems like it's possible to close most of that gap
in the l3-agent - when it removes the IP from its qg- interface it can do a
similar operation.

- -Brian

On 06/26/2014 03:36 PM, Vishvananda Ishaya wrote:
> I believe this will affect nova-network as well. We probably should use 
> something like the linux cutter utility to kill any ongoing connections 
> after we remove the nat rule.
> 
> Vish
> 
> On Jun 25, 2014, at 8:18 PM, Xurong Yang <idopra at gmail.com> wrote:
> 
>> Hi folks,
>> 
>> After we create an SSH connection to a VM via its floating ip, even 
>> though we have removed the floating ip association, we can still access 
>> the VM via that connection. Namely, SSH is not disconnected when the 
>> floating ip is not valid. Any good solution about this security issue?
>> 
>> Thanks
>> Xurong Yang
>> _______________________________________________
>> OpenStack-dev mailing list
>> OpenStack-dev at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 
> 
> 

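The conntrack flush Brian describes, as an added example (not Neutron's or nova-network's code): it parses constructed `conntrack -L` output to show which flows `conntrack -D -r $fixed_ip` matches (inbound DNAT'd connections such as the SSH session in the thread, whose reply tuple is sourced from the VM's fixed IP) and wraps the delete-then-verify step behind an injectable runner. The addresses and the `flows_replying_from` and `flush_stale_flows` helpers are assumptions made for the example.

```python
import re
import subprocess

# Constructed sample of `conntrack -L` output (addresses are made up).
# For a DNAT'd inbound connection the original tuple is addressed to the
# floating IP and the reply tuple is sourced from the VM's fixed IP, which
# is what `conntrack -D -r $fixed_ip` keys on. The VM's own outbound flow
# to an internal host (third line) replies from 10.0.0.2 and is left alone.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.10 sport=51234 dport=22 src=10.0.0.5 dst=198.51.100.7 sport=22 dport=51234 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.7 dst=203.0.113.11 sport=40000 dport=22 src=10.0.0.6 dst=198.51.100.7 sport=22 dport=40000 [ASSURED] mark=0 use=1
udp      17 29 src=10.0.0.5 dst=10.0.0.2 sport=5353 dport=53 src=10.0.0.2 dst=10.0.0.5 sport=53 dport=5353 mark=0 use=1
"""

TUPLE_RE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def flows_replying_from(conntrack_output, fixed_ip):
    """Return (proto, orig_src, orig_dst, orig_sport) for every flow whose
    reply tuple is sourced from fixed_ip, i.e. what `-D -r fixed_ip` hits."""
    hits = []
    for line in conntrack_output.splitlines():
        tuples = TUPLE_RE.findall(line)
        if len(tuples) != 2:  # expect an original and a reply tuple
            continue
        (o_src, o_dst, o_sport, _), (r_src, _, _, _) = tuples
        if r_src == fixed_ip:
            hits.append((line.split()[0], o_src, o_dst, int(o_sport)))
    return hits


def flush_stale_flows(fixed_ip, run=subprocess.run):
    """Drop established flows that still map to fixed_ip once its floating IP
    (and NAT rule) is gone, then re-list and return whatever survived so the
    caller can log a failure. `run` is injectable so the logic can be
    exercised without root or the conntrack tool."""
    run(["conntrack", "-D", "-r", fixed_ip], check=False)
    listing = run(["conntrack", "-L"], capture_output=True, text=True, check=False)
    return flows_replying_from(listing.stdout, fixed_ip)


if __name__ == "__main__":
    class Result:  # minimal stand-in for subprocess.CompletedProcess
        def __init__(self, out):
            self.stdout = out

    def dry_run(cmd, **_):
        print("would run:", " ".join(cmd))
        return Result("")

    print("stale before:", flows_replying_from(SAMPLE_CONNTRACK, "10.0.0.5"))
    print("stale after: ", flush_stale_flows("10.0.0.5", run=dry_run))
```

Delete the NAT rule before the flush: otherwise a packet arriving in between can recreate a translated entry.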